Thousands of IDs for sale online


Have you applied for a loan, invested online, or joined an online business group where you were required to submit a scanned copy of your identification card to prove your identity? If your answer is yes, you could be a victim of identity theft in the future.

A cybercriminal is selling the KYC verification files of at least three investment companies in the Philippines. Know Your Customer or KYC is a mandatory process of verifying the clients' identity when they open an account in banks and other BSP supervised financial institutions. KYC documents accepted are UMID card, passport, driver's license, and other government-issued IDs. In the case of these companies, they asked clients to send a scanned copy of their identity cards as an accepted KYC document. The cybercriminal said more than forty thousand users are affected with full name, address, birthday, email address, phone number, bank name, bank account, and other personal information all valid and up-to-date.

Two of the companies affected have users complaining about the way they conduct their business online. One even got a warning from the Securities and Exchange Commission with the threat of fine and imprisonment if the agents of the said company would continue to convince people to invest. The SEC also warned individuals not to support and immediately stop investing in any investment scheme offered by the company. The other investment company has warnings from a security company as "potentially unsafe." Google Safe Browsing, a service created by Google to identify malicious websites, also identified the website as "malicious," meaning unsafe for users to access the site. We are still checking what company is the third entity affected by the leak.

We checked the link on the forum where the alleged KYC documents are on sale. We found more than a hundred various identification cards, including driver's license, passport, Philhealth, UMID, SSS ID, PRC ID, voter's ID, senior citizen ID, and even Barangay ID. Filipino citizens own most of the IDs in the forum, but few IDs are from foreign nationals.

A cybercriminal is selling these KYC-accepted documents from at least three investment companies in the Philippines.

I asked Roren Marie Chin, the Chief for Public Information and Assistance Division of the National Privacy Commission (NPC), what's the worst that could happen if a person's ID is in the data leak. She said that if your ID with personal information is exposed, it could lead to financial or reputational repercussions, and identity theft is the worst that could happen to you. With your ID revealed in leaks, such as those for sale in the online forum, criminals could easily use your identity to commit fraud like unauthorized purchases using your name.

"If your ID is in a data leak, we recommend you immediately secure your accounts by changing your passwords and activating additional security measures, such as 2-factor authentication. Do this regularly and in all your online accounts. Make sure that you use strong passwords and be mindful when posting photos of your ID on social media, if possible, refrain from posting this sensitive information", Chin added.

With more than 40 thousand records that could fall into the wrong hands, the NPC, thru Roren Marie Chin, the Chief for Public Information and Assistance Division, gave these safety tips: "Know your rights and understand your responsibilities as a data subject. You have the right to be informed about the processing of your personal information. And it would be best if you read the privacy notice to understand how the entity will protect your personal information. Minimize the submission of your personal information if possible. Only provide what is necessary and adequate. Determine if the need to submit the data is in the mandate of the company collecting it. Always verify if you can trust the entity with your personal information.

While data leaks in online forums could be fake, there are many Philippine government agencies with databases available to the public via online forums. Among the government sites with legit data-leaks based on our research are these agencies: Department of Environment and Natural Resources (DENR), the Office of Transport Security (OTS), the Industrıal Technology Development Instıtute of the Department Of Scıence And Technology, the Bureau Of Working Conditions of the Department Of Labor And Employment and many others with minor security issues.

This issue of a cybercriminal selling KYC documents is alarming. What makes it worst is that companies with questionable reputations collected these ID cards that are now available to those willing to pay for them.